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DETAILED ACTION 

1 . Applicant's arguments filed September 21 , 2007, have been fully considered but 
are not persuasive. 

2. Claims 1-57 are pending and have been examined. 

Response to Amendment 

3. The amendments to the specification are accepted. 

4. Regarding the arguments against Garcia, Examiner respectfully points to col. 7, 
lines 20-45, where the structure of the header is described, and further states that the 
security portion is included in the header, thus it travels with the file, and can therefore 
be accessed offline. Furthermore, pre-authorizing users is anticipated by Garcia, since a 
file is created and the rriembers of a group are allowed access to it, i.e. the members of 
the group are "pre-authorized" to access the file. 

5. Garcia ftjrther teaches providing message authentication codes (to authenticate 
the file has not been tampered with) and doing so using XML, with a pointer pointing to 
where the security / key / message authentication codes are found (fig. 3B, col. 7, lines 
20-45), i.e. synchronization occurs when online. Applicant's arguments are not 
persuasive. 

Claim Rejections - 35 USC § 102 

* 

6. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

7. Claims 1-8, 10-17, 19-30, 32-39, and 41-57 are rejected under 35 
U.S.C. 102(e) as being anticipated by Garcia (US Patent 7,178,033). 
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Regarding claims 1 and 23, Garcia teaches receiving a request from a client 
(col. 11, lines 55-67); and pre-authorizing the client, in response to the request, to allow 
actions by a user as a member of a group of users by sending to the client offline 
access information comprising a first key associated with the group, the first key being 
useable at the client to access an electronic document while offline by decrypting a 
second key in the electronic document (col. 11, lines 40-67, col. 12, lines 1-31). 

Regarding claims 12 and 34, Garcia teaches receiving from a document control 
server, when online, offline access information comprising a first key associated with a 
group of users of the document control server (col. 11, lines 55-67); and allowing 
access to an electronic document, when offline, by performing operations comprising 
using the first key to decrypt a second key in the electronic document and governing 
actions with respect to the electronic document based on document-permissions 
information associated with the electronic document (col. 11, lines 40-67, col. 12, lines 
1-31). 

Regarding claims 19 and 41, Garcia teaches encrypting an electronic document 
(col. 11, lines 55-67); and incorporating into the encrypted electronic document an 
address of a document control server, document-permissions information, and an 
encryption key useable in decrypting the encrypted electronic document, the encryption 
key being encrypted with a key generated by, and associated with a group of users of, 
the document control server (col. 11, lines 40-67, col. 12, lines 1-31). 

Regarding claims 45 and 56, Garcia teaches a document control server that 
synchronizes offline access information with a client in response to a client request, the 
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offline access information comprising a first key associated with a group, the first key 
being useable at the client to access an electronic document by decrypting a second 
key in the electronic document (col. 11, lines 40-67); and the client that allows access 
to the electronic document, when offline, by a user as a member of the group, using the 
first key to decrypt the second key in the electronic document and governing actions 
with respect to the electronic document based on document-permissions information 
associated with the electronic document (col. 11, lines 40-67, col. 12, lines 1-31). 

Regarding claim 2 and 24, Garcia teaches wherein pre-authorizing the client 
comprises comparing a time of last recorded client-synchronization with a time of last 
change in user-group information for the user (col. 11, lines 40-67, col. 12, lines 32- 
65, fig. 3B). 

Regarding claims 3 and 25, Garcia teaches wherein pre-authorizing the client, 
comprises comparing current user-group information for the user with received user- 
group information for the user from the client (col. 13, lines 40-67). 

Regarding claims 4 and 26, Garcia teaches wherein the client allows actions 
with respect to the electronic document based on document-permissions information 
residing in the electronic document (col. 13, lines 40-67). 

Regarding claims 5 and 27, Garcia teaches wherein the offline access 
information further comprises document-permissions information associated with 
multiple documents, including the electronic document, and the client allows actions 
with respect to the electronic document based on the document-permissions information 
(col. 13, lines 40-67, col. 14, lines 22-67). 
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Regarding claims 6 and 28, Garcia teaches wherein receiving a request 
comprises receiving a request from the client to take an action with respect to a second 
document (col. 13, lines 40-67). 

Regarding claims 7 and 29, Garcia teaches verifying the user at the client as an 
authenticated user (col. 13, lines 40-67). 

Regarding claims 8 and 30, Garcia teaches wherein the offline access 
information further comprises: at least one user-specific key; at least one group-specific 
key, including the first key; and at least one set of document-permissions information 
associated with multiple documents (col. 13, lines 40-67, col. 14, lines 22-67). 

Regarding claims 10 and 32, Garcia teaches wherein the at least one set of 
document-permissions information comprises one or more policies associated with the 
second document, and the offline access information further comprises a document 
revocation list (col. 13, lines 40-67, col. 14, lines 22-67). 

Regarding claims 11 and 33, Garcia teaches wherein the offline access 
information further comprises at least one set of document-permissions information 
associated with a specific document selected based on synchronization prioritization 
information (col. 13, lines 40-67, col. 14, lines 22-67). 

Regarding claims 13 and 35, Garcia teaches wherein governing actions with 
respect to the electronic document comprises obtaining the document-permissions 
information from the electronic document (col. 13, lines 40-67, col. 14, lines 22-67). 

Regarding claims 14 and 36, Garcia teaches wherein governing actions with 
respect to the electronic document comprises: identifying a document policy reference 
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in the electronic document; and obtaining locally retained document-permissions 
information based on the document policy reference (col. 13, lines 40-67, col. 14, lines 
22-87). 

Regarding claims 15 and 37, Garcia teaches wherein the offline access 
information comprises at least one user-specific key, at least one group-specific key, 
including the first key, at least one set of document-permissions information associated 
with multiple documents, and a document revocation list (col. 13, lines 40-67, col. 14, 
lines 22-67). 

Regarding claims 16 and 38, Garcia teaches preventing access to the 
document, when offline, if a difference between a current time and a receipt time of the 
offline access information exceeds a server-synchronization-frequency parameter (col. 
11, lines 40-67, col. 12, lines 32-65, fig. 3B). 

Regarding claims 17 and 39, Garcia teaches wherein the server- 
synchronization-frequency parameter is specific to the document (col. 11, lines 40-67, 
col. 12, lines 32-65, fig. 3B). 

Regarding claims 20 and 42, Garcia teaches wherein the encryption key 
comprises a session key generated by the document control server, encrypting the 
electronic document comprises encrypting the electronic document using a document 
key, and incorporating comprises incorporating into the encrypted electronic document 
a document security payload comprising the document key and the document- 
permissions information, the document security payload being encrypted using the 
session key (col. 11, lines 40-67, col. 12, lines 1-65). 
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Regarding claims 21 and 43, Garcia teaches wherein the document secuhty 
payload further comprises a document identifier assigned by the document control 
server, and incorporating further comprises incorporating into the encrypted electronic 
document a copy of the session key encrypted using a public key associated with the 
document control server (col. 11, lines 40-67, col. 12, lines 1-65). 

Regarding claims 22 and 44, Garcia teaches wherein the document- 
permissions information specifies access permissions at a level of granularity smaller 
than the electronic document (col. 11, lines 40-67, col. 12, lines 1-65). 

Regarding claim 46, Garcia teaches wherein the electronic document comprises 
the document-permissions information (col. 11, lines 40-67, col. 12, lines 1-65). 

Regarding claim 47, Garcia teaches wherein the second key comprises a 
session key generated by the document control server, and the electronic document 
further comprises a document security payload comprising a document key and the 
document-permissions infomiation, the document security payload being encrypted 
using the session key (col. 11, lines 40-67, col. 12, lines 1-65). 

Regarding claim 48, Garcia teaches wherein the offline access information 
further comprises; at least one user-specific key; at least one group-specific key, 
including the first key; and at least one set of document-permissions information 
associated with multiple documents (col. 13, lines 40-67, col. 14, lines 22-67). 

Regarding claim 49, Garcia teaches wherein the client comprises an agent that 
periodically contacts the document control server to synchronize the offline access 
information (col. 11, lines 40-67, col. 12, lines 32-65, fig. 3B). 
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Regarding claim 50, Garcia teaclies wherein the document control server 
comprises: a server core with configuration and logging components; an internal 
services component that provides functionality across dynamically loaded methods; and 
dynamically loaded external service providers, including one or more access control 
service providers (col. 16, lines 31-67). 

Regarding claim 51, Garcia teaches a business logic tier comprising a cluster of 
document control servers, including the document control server; an application tier 
including the client comprising a viewer client, a securing client, and an administration 
client; and a load balancer that routes client requests to the document control servers 
(col. 15, lines 29-67, col. 16, lines 1-31). 

Regarding claim 52, Garcia teaches wherein the client request comprises a 
request from the client to take an action with respect to a second document (col. 15, 
lines 29-67, col. 16, lines 1-31). 

Regarding claim 53, Garcia teaches wherein the document control server 
comprises a permissions-broker server including a translation component, the second 
document comprises a document secured previously by the permissions-broker server, 
and the translation component being operable to translate first document-permissions 
Information In a first permissions-definition format into second document-permissions 
information in a second permissions-definition format in response to the request being 
received from the client (col. 15, lines 29-67, col. 16, lines 1-31). 

Regarding claim 54, Garcia teaches wherein the server comprises a 
permissions-broker server operable to Identify infonnation associated with the second 
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document in response to the request, the associated information being retained at the 
server and indicating a third electronic document different from and associated with the 
second document, the server being operable to relate information concerning the third 
electronic document to the client to facilitate the action to be taken (col. 15, lines 29-67, 
col. 16, lines 1-31). 

Regarding claim 55, Garcia teaches wherein the server comprises a 
pennissions-broker server operable to obtain and send, in response to the request, a 
software program comprising instructions operable to cause one or more data 
processing apparatus to perform operations effecting an authentication procedure, and 
the client uses the authentication program to identify a current user and control the 
action with respect to the second document based on the current user and document- 
permissions information associated with the second document (col. 1 5, lines 29-67, 
col. 16, lines 1-31). 

Regarding claim 57, Garcia teaches server means for dynamically obtaining 
and sending authentication processes in response to client requests to take actions with 
respect to electronic documents; and client means for interfacing with a received 
authentication process to identify a current user and for controlling actions with respect 
to electronic documents based on the cun-ent user and document-permissions 
information (col. 15, lines 29-67, col. 16, lines 1-31). 

Claim Rejections - 35 USC § 103 
8. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 
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9. Claims 9, 18, 31, and 40 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Garcia, and further in view of DeMarines (NPL "Authentica: 
Content Security for the Enterprise"). 

Regarding claims 9 and 31, Garcia does not expressly disclose receiving an 
offline audit log from the client. However, DeMarines teaches receiving an offline audit 
log from the client (page 10). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to provide offline audit logs. 
One of ordinary skill in the art would have been motivated to perform such a 
modification to keep track of offline access to secured files (DeMarines, pp. 2-3). 

Regarding claims 18 and 40, Garcia does not expressly disclose maintaining an 
offline audit log; and uploading the offline audit log when online. However, DeMarines 
teaches maintaining an offline audit log; and uploading the offline audit log when online 
(page 10). Therefore, it would have been obvious to one having ordinary skill in the art 
at the time the invention was made to provide offline audit logs. One of ordinary skill in 
the art would have been motivated to perform such a modification to keep track of 
offline access to secured files (DeMarines, pp. 2-3). 

Conclusion 

10. Examiner's Note: Examiner has cited particular columns and line numbers in the 
references as applied to the claims below for the convenience of the applicant. Although 
the specified citations are representative of the teachings in the art and are applied to 
the specific limitations within the individual claim, other passages and figures may apply 
as well. It is respectfully requested that the applicant, in preparing the responses, fully 
consider the references in entirety as potentially teaching all or part of the claimed 
invention, as well as the context of the passage as taught by the prior art or disclosed 
by the examiner. 
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1 1 . Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 

§ 706.07(a). Applicant is reminded of ttie extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David Garcia Cervetti whose telephone number is 
(571)272-5861. The examiner can normally be reached on Monday-Tuesday and 
Thursday-Friday. 

13. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on (571)272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

14. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-91 99 (IN USA OR CANADA) or 571-272-1 000. 



/David Garcia Cervetti/ 




